February 10, 2014

Hackers Flood, Crash Smartphones Using New Snapchat Security Flaw

A security vulnerability in the popular Snapchat messaging app allows hackers to disable or slow smartphones by flooding a user with incoming messages, according to a new report from Spanish cyber-security researcher Jamie Sanchez.

Snapchat is a messaging service that allows users to pass photo and video messages back and forth. These images or videos are typically set to disappear a few seconds after they are opened by their recipients.

The type of attack, uncovered by Sanchez in his spare time, is reminiscent of a so-called denial-of-service attack used in countless cyber-attacks. It overwhelms a user’s account to the point that the device running the app can freeze and crash, possibly requiring the user to reset the device to restore its full capabilities.

“We are working to resolve the issue and will be reaching out to the security researcher who publicized the attack to learn more,” Snapchat said, according to TechCrunch.

Whenever a user tries to send something through Snapchat – a token, which is a string of characters, is generated to validate their identity. Sanchez, who posted his security findings on seguridadofensiva.com, said a defect within Snapchat’s system allows hackers to recycle old tokens to send out new messages.

This flaw permits would-be hackers to send enormous amounts of messages. This method might be used by spammers to send messages en masse to countless users, or it might be used to launch a cyber-attack on specific individuals, Sanchez wrote.

As a demonstration, Sanchez launched a denial-of-service-style attack on the account of Los Angeles Times reporter Salvador Rodriguez. Rodriguez said his account was flooded with 1,000 messages in about five seconds, which froze the reporter’s iPhone, shut it down and restarted it.

According to reports, the attack does not shut down Android devices – it does significantly slow them down, however.

Sanchez told the Times that he did not contact Snapchat directly about his discovery because he claims the company does not respect the cyber security research community. Sanchez cited security advice issued in August and on Christmas Eve from Gibson Security that he said was ignored. Gibson predicted that a defect within the app could be used to hack into user data. On New Year’s Eve, a hacker collective exploited that vulnerability and published the user names and phone numbers of almost 5 million Snapchat users.

“They warned Snapchat about issues -- about the possible dump of database -- and Snapchat didn't care,” he said.

When the Times approached Snapchat about the vulnerability discovered by Sanchez, its official response was that it was unaware of any such defect.

“We are interested in learning more and can be contacted at [email protected]," a Snapchat spokeswoman said via email.

Hubris appears to be a reoccurring theme with Snapchat as the company rebuffed an approximately $3 billion buyout from Facebook back in November. According to media reports, Snapchat’s 23-year-old co-founder and CEO Evan Spiegel said he would not consider an acquisition or an investment at least until early 2014. Revelations surrounding the newly uncovered security flaw would undoubtedly complicate any ongoing or future talks.